From 7c3cfbe999ebdd0e6a172e3b29c288dcf55b3092 Mon Sep 17 00:00:00 2001 From: Tom Yu <tlyu@mit.edu> Date: Tue, 12 May 2009 23:13:57 +0000 Subject: [PATCH] README and patchlevel for krb5-1.7-beta2 git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22345 dc483132-0cff-0310-8789-dd5450dbe970 --- README | 35 ++++++++++++++++++++++++++--------- src/patchlevel.h | 4 ++-- 2 files changed, 28 insertions(+), 11 deletions(-) diff --git a/README b/README index 03179e4a1..070e4c3db 100644 --- a/README +++ b/README @@ -66,7 +66,8 @@ The Data Encryption Standard (DES) is widely recognized as weak. The krb5-1.7 release will contain measures to encourage sites to migrate away from using single-DES cryptosystems. Among these is a configuration variable that enables "weak" enctypes, but will default -to "false" in the future. +to "false" in the future. Additional migration aids are planned for +future releases. Major changes in 1.7 -------------------- @@ -101,6 +102,7 @@ Major changes in 1.7 NTLM implementation. * KDC support for principal aliases, if the back end supports them. + Currently, only the LDAP back end supports aliases. * Microsoft set/change password (RFC 3244) protocol in kadmind. @@ -111,11 +113,9 @@ Major changes in 1.7 * Flexible Authentication Secure Tunneling (FAST), a preauthentiation framework that can protect the AS exchange from dictionary attack. -* Implement client support for GSS_C_DELEG_POLICY_FLAG, which allows a - GSS application to delegate credentials only if permitted by KDC - policy. One minor known bug, which will probably be fixed by final - release, occurs when this functionality is used with cross-realm - authentication; see RT ticket #6473. +* Implement client and KDC support for GSS_C_DELEG_POLICY_FLAG, which + allows a GSS application to request credential delegation only if + permitted by KDC policy. * Fix CVE-2009-0844, CVE-2009-0845, CVE-2009-0846, CVE-2009-0847 -- various vulnerabilities in SPNEGO and ASN.1 code. 
@@ -123,7 +123,9 @@ Major changes in 1.7 Known bugs by ticket ID ----------------------- -6473 strip ok-as-delegate if not in cross-realm TGT chain +6481 kdb ldap integration removed rev/recurse kdb5_util dumps +6486 t_pac fails on SPARC Solaris +6487 gss_unwrap_iov fails in stream mode Changes by ticket ID -------------------- @@ -173,12 +175,14 @@ Changes by ticket ID 5575 don't include time.h in CredentialsCache.h if it's not needed 5578 test commit handler 5580 provide asprintf functionality for internal use +5587 PRF for non-AES enctypes 5589 krb5 trunk no longer builds on Windows - vsnprintf implementation required 5590 gss krb5 mech enhanced error messages 5593 kadmind crash on Debian AMD64 5594 Work on compiling CCAPI test suite on Windows 5595 Problems with kpasswd and an IPv6 enviroment +5596 patch for providing a way to set the ok-as-delegate flag 5598 ccs_pipe_t needs copy and release functions 5599 Added new autogenerated file to generate-files-mac target 5600 provide more useful error message when running kpropd on command line @@ -300,7 +304,7 @@ Changes by ticket ID 6120 increase rpc timeout 6121 dead code in lib/rpc/clnt_udp.c 6131 Removed argument from kipc_client_lookup_server -6133 C90 compliance +6133 don't do C99-style mixing declarations with code 6138 Switch KfM back to error tables 6140 CCAPI should use common ipc and stream code 6142 KerberosAgent dialogs jump around the screen @@ -351,6 +355,7 @@ Changes by ticket ID 6201 small leak in KDC authdata plugins 6202 kadmind leaks extended error strings 6203 DELEG_POLICY_FLAG for GSS +6210 pa_sam leaks parts of krb5_sam_challenge 6211 pam_sam leaking outer krb5_data created by encode_krb5_sam_response 6214 krb5_change_set_password not freeing chpw_rep contents 6216 Free data in tests so leaks checking is easier 
@@ -437,7 +442,8 @@ Changes by ticket ID
 6393 Implement TGS authenticator subkey support
 6397 use macros for config parameter strings
 6398 remove obsolete GNU.ORG realm info
-6400 [no subject]
+6400 GSSAPI authdata extraction should merge ticket and
+ authenticator authdata
 6401 send_as_req re-encodes the request
 6402 CVE-2009-0845 SPNEGO can dereference a null pointer
 6403 kdb5_ldap_util create segfaults when
@@ -488,7 +494,18 @@ Changes by ticket ID
 6468 k5_utf8s_to_ucs2s could deref NULL pointer...
 6469 fcc_generate_new destroys locked mutex on error
 6470 Send explicit salt for SALTTYPE_NORMAL keys
+6472 typo in ksu error message
+6473 strip ok-as-delegate if not in cross-realm TGT chain
 6474 move kadmin, ktutil, k5srvutil man pages to man1
+6475 Adding keys to malformed keytabs can infinitely extend the file
+6477 make installed headers C++-safe
+6478 Fix handling of RET_SEQUENCE flag in mk_priv/mk_ncred
+6479 Add DEBUG_ERROR_LOCATIONS support
+6480 Do not return PREAUTH_FAILED on unknown preauth
+6482 Allow more than 10 past keys to be stored by a policy
+6483 man1 in title header for man1 manpages
+6484 work around Heimdal not using subkey in TGS-REP
+6485 document ok_as_delegate in admin.texinfo
 
 Copyright and Other Legal Notices
 ---------------------------------
diff --git a/src/patchlevel.h b/src/patchlevel.h
index 5b6949b59..0f0cd9849 100644
--- a/src/patchlevel.h
+++ b/src/patchlevel.h
@@ -53,6 +53,6 @@
 #define KRB5_MAJOR_RELEASE 1
 #define KRB5_MINOR_RELEASE 7
 #define KRB5_PATCHLEVEL 0
-#define KRB5_RELTAIL "beta1-postrelease"
+#define KRB5_RELTAIL "beta2"
 /* #undef KRB5_RELDATE */
-#define KRB5_RELTAG "branches/krb5-1-7"
+#define KRB5_RELTAG "tags/krb5-1-7-beta2"
-- 
2.26.2